Free Malware Removal Forum

by **wimpy** » December 7th, 2008, 9:50 pm

Hullo,

First of all, this is for a home pc running win2k with sp4 installed.

Eset's NOD32 has bagged me recently with a threat called Win32/Banwor.NBY. However, NOD32 cannot remove the threat itself. There are four files comprised according to the antivirus's scan, They are all located at C\WINNT\system32\oobe. One of them is called msobweb2.dll, another is called msobcommw.dll, When trying to eliminate the file, NOD32 says it cannot as the file is blocked.

I haven't been able to find a way to remove the threat manually through either symantec or mcaffee, as they apparently name the threat another way.

My HijackThis log is posted below.

Thanks in advance for all your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:22:45, on 07-12-2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Cisco-Linksys LLC\Wireless-G Notebook Adapter with SRX400\WPC54GX4.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINNT\system32\oobe\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sonico.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: Banco do Brasil S.A. - {546D0BB7-6894-48D2-89EB-DFABF5E4EC7D} - C:\WINNT\system32\oobe\msobe.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RunUtility] C:\Program Files\Cisco-Linksys LLC\Wireless-G Notebook Adapter with SRX400\WPC54GX4.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [win32Kernel] c:\windows\findx.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm012YYCL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... .0.1.1.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0854992881
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installer ... taller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.fujifilm.cl/falabellav2/reve ... Upload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = larra_dom
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C20BBA4-3B4B-4E00-A492-DE31B1C809FC}: NameServer = 10.0.0.41,10.0.0.43
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = larra_dom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = larra_dom
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 8544 bytes

by **Katana** » December 23rd, 2008, 10:40 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

----------------------------------------------------------------------------------------

I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.

If you still require help please do the following

Download and Run RSIT

Please download Random's System Information Tool by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
- log.txt will be opened maximized.
- info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.

by **wimpy** » December 28th, 2008, 9:01 pm

Hi, thanks for the reply. Imagined you guys were really busy.

Here are the logs you asked. Thanks for your help.

1.- log.txt

Logfile of random's system information tool 1.05 (written by random/random)
Run by Administrator at 2008-12-28 21:51:08
Microsoft Windows 2000 Professional Service Pack 4
System drive C: has 3 GB (12%) free of 25 GB
Total RAM: 255 MB (10% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:51:40, on 28-12-2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Cisco-Linksys LLC\Wireless-G Notebook Adapter with SRX400\WPC54GX4.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\Administrator\My Documents\Andy\Downloads\RISIT\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sonico.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Banco do Brasil S.A. - {546D0BB7-6894-48D2-89EB-DFABF5E4EC7D} - C:\WINNT\system32\oobe\msobe.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RunUtility] C:\Program Files\Cisco-Linksys LLC\Wireless-G Notebook Adapter with SRX400\WPC54GX4.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [win32Kernel] c:\windows\findx.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm012YYCL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... .0.1.1.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0854992881
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installer ... taller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.fujifilm.cl/falabellav2/reve ... Upload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = larra_dom
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C20BBA4-3B4B-4E00-A492-DE31B1C809FC}: NameServer = 10.0.0.41,10.0.0.43
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = larra_dom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = larra_dom
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 7746 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{546D0BB7-6894-48D2-89EB-DFABF5E4EC7D}]
GbiehObj Class - C:\WINNT\system32\oobe\msobe.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 184423]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio - C:\WINNT\system32\msdxm.ocx [2005-03-31 844560]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"=mobsync.exe /logon []
"DadApp"=C:\Program Files\DELL\AccessDirect\dadapp.exe [2001-03-29 188840]
"AtiPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2002-08-27 294912]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2001-04-13 94208]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2001-04-13 262144]
"AdaptecDirectCD"=C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe [2001-06-27 643072]
"LoadQM"=C:\WINNT\loadqm.exe [2000-05-03 7536]
"HPDJ Taskbar Utility"=C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe [2003-09-01 176128]
"HP Component Manager"=C:\Program Files\HP\hpcoretech\hpcmpmgr.exe [2003-04-11 212992]
"NeroFilterCheck"=C:\WINNT\system32\NeroCheck.exe [2001-07-09 155648]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe [2005-11-10 36975]
"RunUtility"=C:\Program Files\Cisco-Linksys LLC\Wireless-G Notebook Adapter with SRX400\WPC54GX4.exe [2005-10-31 16945152]
"nod32kui"=C:\Program Files\Eset\nod32kui.exe [2007-08-11 921600]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-09-03 98304]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"NBJ"=C:\Program Files\Ahead\Nero BackItUp\NBJ.exe [2004-11-30 1945600]
"ctfmon.exe"=C:\WINNT\system32\ctfmon.exe [2001-02-20 8192]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized []
"win32Kernel"=c:\windows\findx.exe []
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=149

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.scr - open - "C:\WINNT\notepad.exe" "%1"
.scr - install -
.scr - config -

======List of files/folders created in the last 3 months======

2008-12-28 21:51:08 ----D---- C:\rsit
2008-12-07 22:21:59 ----D---- C:\Program Files\Trend Micro
2008-12-06 21:40:32 ----D---- C:\Program Files\Ares
2008-10-13 16:13:22 ----D---- C:\WINNT\system32\oobe

======List of files/folders modified in the last 3 months======

2008-12-16 12:07:54 ----A---- C:\WINNT\SchedLgU.Txt

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Cdr4_2K;Cdr4_2K; C:\WINNT\system32\drivers\Cdr4_2K.sys [2003-10-25 53072]
R1 Cdralw2k;Cdralw2k; C:\WINNT\system32\drivers\Cdralw2k.sys [2003-10-25 22425]
R1 cdudf;cdudf; C:\WINNT\system32\drivers\cdudf.sys [2001-06-27 230048]
R1 PQNTDrv;PQNTDrv; C:\WINNT\system32\drivers\PQNTDrv.sys [2002-09-16 4228]
R1 pwd_2K;pwd_2K; C:\WINNT\system32\drivers\pwd_2K.sys [2001-06-27 67638]
R1 UdfReadr;UdfReadr; C:\WINNT\system32\drivers\UdfReadr.sys [2001-06-27 213472]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.3.0; C:\WINNT\system32\DRIVERS\AegisP.sys [2007-07-01 19387]
R2 AMON;AMON; \??\C:\WINNT\system32\drivers\amon.sys []
R2 Aspi32;Aspi32; C:\WINNT\system32\drivers\Aspi32.sys [1997-12-22 23936]
R2 irda;IrDA Protocol; C:\WINNT\system32\DRIVERS\irda.sys [2003-06-19 57296]
R2 Secdrv;Security Driver; C:\WINNT\system32\DRIVERS\SecDrv.sys [2006-09-13 20480]
R2 WNIPROT5;Airgo Networks Protocol Driver; \??\C:\WINNT\system32\WNIPROT5.SYS []
R2 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINNT\System32\drivers\ws2ifsl.sys [2001-05-08 12016]
R3 Airgo3P;Wireless-G Notebook Adapter with SRX400 Driver; C:\WINNT\system32\DRIVERS\TMIMO30P.sys [2005-10-30 884034]
R3 ati2mtai;ati2mtai; C:\WINNT\System32\DRIVERS\ati2mtai.sys [2002-11-18 347036]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINNT\System32\DRIVERS\CmBatt.sys [2003-06-19 9904]
R3 EL556;3Com 10/100 Mini PCI Ethernet Adapter NDIS5 Driver; C:\WINNT\System32\DRIVERS\EL556ND5.sys [2000-05-02 64120]
R3 maestro;ESS Maestro Audio Driver (WDM); C:\WINNT\system32\drivers\es198xdl.sys [2002-01-13 414720]
R3 mmc_2K;mmc_2K; C:\WINNT\system32\drivers\mmc_2K.sys [2001-06-27 18070]
R3 pfc;Padus ASPI Shell; C:\WINNT\system32\drivers\pfc.sys [2002-10-02 9856]
R3 Rasirda;WAN Miniport (IrDA Modem); C:\WINNT\system32\DRIVERS\rasirda.sys [2003-06-19 19920]
R3 RimSerPort;RIM Virtual Serial Port; C:\WINNT\system32\DRIVERS\RimSerial.sys [2005-05-04 17920]
R3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\WINNT\system32\DRIVERS\smcirda.sys [1999-09-24 36112]
R3 SynTP;Synaptics TouchPad Driver; C:\WINNT\System32\DRIVERS\SynTP.sys [2001-04-13 229168]
R3 uhcd;Microsoft USB Universal Host Controller Driver; C:\WINNT\System32\DRIVERS\uhcd.sys [2003-06-19 32848]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINNT\System32\DRIVERS\usbhub.sys [2003-06-19 40176]
R3 WDHABBG;WDHABBGMiniPCI Winmodem; C:\WINNT\system32\DRIVERS\WDHABBG.sys [2000-12-13 704960]
S2 HidUsb;Microsoft HID Class Driver; C:\WINNT\system32\DRIVERS\hidusb.sys [1999-10-04 13904]
S3 a4c1iygk;a4c1iygk; C:\WINNT\system32\drivers\a4c1iygk.sys []
S3 ahso705j;ahso705j; C:\WINNT\system32\drivers\ahso705j.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINNT\System32\DRIVERS\CCDECODE.sys [2004-07-09 16384]
S3 dvd_2K;dvd_2K; C:\WINNT\system32\drivers\dvd_2K.sys [2001-06-27 9590]
S3 FVNETD;ATMEL PCMCIA FastVNET (502A-D); C:\WINNT\system32\DRIVERS\fvnetd.sys [2004-03-17 91008]
S3 mouhid;Mouse HID Driver; C:\WINNT\system32\DRIVERS\mouhid.sys [2003-06-19 11632]
S3 MPE;BDA MPE Filter; C:\WINNT\System32\DRIVERS\MPE.sys [2004-07-09 15104]
S3 MSIRCOMM;Microsoft IR Communications Driver; C:\WINNT\system32\DRIVERS\MSIRCOMM.sys [2003-06-19 20208]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\system32\drivers\MSTEE.sys [2002-12-12 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\System32\DRIVERS\NABTSFEC.sys [2004-07-09 83968]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINNT\System32\DRIVERS\NdisIP.sys [2004-07-09 10112]
S3 OM518P;VGA USB Camera (2120); C:\WINNT\System32\Drivers\om518vid.sys [2002-06-27 185256]
S3 PCANDIS5;PCANDIS5 Protocol Driver; \??\C:\WINNT\system32\PCANDIS5.SYS []
S3 RimUsb;Dispositivo de bosillo RIM; C:\WINNT\System32\Drivers\RimUsb.sys [2005-01-31 17286]
S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINNT\System32\Drivers\RootMdm.sys [2001-05-08 6032]
S3 rtl8180;IEEE 802.11b Wireless Cardbus/PCI Adapter; C:\WINNT\system32\DRIVERS\rtl8180.SYS []
S3 SLIP;BDA Slip De-Framer; C:\WINNT\System32\DRIVERS\SLIP.sys [2004-07-09 10880]
S3 sonypvs1;Sony Digital Imaging Video2; C:\WINNT\system32\DRIVERS\sonypvs1.sys [2002-10-15 102220]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINNT\system32\DRIVERS\SONYPVU1.SYS [2002-07-10 7921]
S3 SQTECH905C;DualCamera; C:\WINNT\System32\Drivers\Capt905c.sys [2005-01-25 33307]
S3 streamip;BDA IPSink; C:\WINNT\System32\DRIVERS\StreamIP.sys [2004-07-09 14976]
S3 TNET1130;D-Link AirPlus XtremeG+ Wireless Adapter; C:\WINNT\system32\DRIVERS\GPlus.sys [2003-08-13 162313]
S3 usbaudio;USB Audio Driver (WDM); C:\WINNT\system32\drivers\usbaudio.sys [1999-10-12 68912]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\system32\DRIVERS\usbprint.sys [2003-06-19 21872]
S3 USBSTOR;USB Mass Storage Driver; C:\WINNT\system32\DRIVERS\USBSTOR.SYS [2003-06-19 21552]
S3 WRSWanDD;iVasion PoET Adapter; C:\WINNT\system32\DRIVERS\WrKPoETNic2000.sys [2000-10-30 73772]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINNT\System32\DRIVERS\WSTCODEC.SYS [2004-07-09 18688]
S4 dmload;dmload; C:\WINNT\System32\drivers\dmload.sys [2003-06-19 7312]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINNT\system32\Ati2evxx.exe [2002-11-18 147456]
R2 Irmon;Infrared Monitor; C:\WINNT\system32\svchost.exe [2001-05-08 7952]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 NOD32krn;NOD32 Kernel Service; C:\Program Files\Eset\nod32krn.exe [2007-08-11 507904]
R2 StiSvc;Still Image Service; C:\WINNT\system32\stisvc.exe [2003-06-19 61712]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINNT\system32\mspmspsv.exe [2001-10-01 53248]
S3 aspnet_state;ASP.NET State Service; C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 Autodesk Licensing Service;Autodesk Licensing Service; C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [2004-08-01 74360]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

-----------------EOF-----------------

2.- info.txt

info.txt logfile of random's system information tool 1.05 2008-12-28 21:51:53

======Uninstall list======

-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINNT\UNNeroVision.exe /UNINSTALL
-->C:\WINNT\UNNMP.exe /UNINSTALL
101 Dálmatas Libro Animado Interactivo-->C:\DISNEY\101_ASB.ES\101DEL95.EXE
3Com 56K V.90 Mini PCI Modem-->C:\WINNT\3CWMUNST.EXE WDHABBG
Ad-Aware SE Personal-->C:\PROGRA~1\LAVASOFT\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~1\INSTALL.LOG
Adobe Atmosphere Player for Acrobat and Adobe Reader-->C:\WINNT\atmoUn.exe
Adobe Download Manager 1.2 (Remove Only)-->"C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX-->C:\WINNT\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop Album 2.0 Starter Edition-->MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24}
Adobe Reader 7.0.8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Aprender con los Pitufos-->C:\INFOGRAM\SMURFED\UNWISE.EXE /A /S C:\WINNT\SMURFED.LOG
ArcSoft Camera Suite-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AE6F8DC5-8639-4E7F-A0FE-EEB0522FCAAC}\Setup.exe" -l0xa
Ares 2.1.0-->"C:\Program Files\Ares\uninstall.exe"
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver Utilities-->rundll32 C:\WINNT\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AutoCAD 2005 - English-->MsiExec.exe /I{5783F2D7-0301-0409-0002-0060B0CE6BBA}
Autodesk DWF Viewer-->C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove
BitTorrent 4.0.2-->"C:\Program Files\BitTorrent\uninstall.exe"
BlackBerry Desktop Software 4.0.1-->MsiExec.exe /I{66E760E5-3DFF-4EED-9343-105AEE0D2702}
BlackBerry Desktop Software 4.0.1-->MsiExec.exe /i{66E760E5-3DFF-4EED-9343-105AEE0D2702}
BlackBerry v4.1.0 para el dispositivo inalámbrico 7290-->MsiExec.exe /X{4664B427-9931-4F5E-9FC8-59DF459F17F0}
Crea y dibuja con Disney 2-->C:\WINNT\IsUn040a.exe -fC:\ARCHIV~1\DISNEY~1\CREAYD~1\DeIsL1.isu
Dell AccessDirect-->C:\WINNT\IsUn040a.exe -f"C:\Program Files\DELL\AccessDirect\Uninst.isu" -c"C:\Program Files\DELL\AccessDirect\Uninst.dll
Disney's Mickey Mouse Kindergarten-->C:\WINNT\IsUninst.exe -f"C:\Program Files\Disney Interactive\Mickey Mouse Kindergarten\DeIsL1.isu" -c"C:\Program Files\Disney Interactive\Mickey Mouse Kindergarten\Saved Games\Uninst.dll
Easy CD Creator 5 Basic-->MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
EAX Unified-->C:\WINNT\IsUninst.exe -f"C:\Program Files\Creative\EAX Unified\Uninst.isu"
El Conejo Lector - Kinder-->C:\WINNT\unin040a.exe -fC:\TLCWIN\RRK\uninstal\DeIsL1.isu
El Conejo Lector - PREESCOLAR-->C:\WINNT\unin040a.exe -fC:\TLCWIN\RRP\uninstal\DeIsL1.isu
EncFlac 1.1.2-->"C:\Program Files\Winamp\EncFlac-Uninstall.exe"
EncVorbis 1.1-->"C:\Program Files\Winamp\EncVorbis-Uninstall.exe"
FileMaker Pro 7-->MsiExec.exe /I{65FA5E6D-B3D7-46D9-9571-CBBA1968346B}
GenoPro-->C:\Program Files\GenoPro\Uninstall.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for MDAC 2.71 (KB911562)-->"C:\WINNT\$SQLUninstallMDAC27SP1-KB911562-x86-ENU$\spuninst\spuninst.exe"
hp deskjet 3600-->msiexec /x{7CA32143-2DAC-4F5F-9BAA-2AB3707EF192}
hp print screen utility-->C:\Program Files\Hewlett-Packard\hp print screen utility\UnInstall\prnunins.exe
Image Transfer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{564A8DD3-70BC-4018-A5C3-7CEB10BBB6E9}\Setup.exe" UNINSTALL
ImageMixer for Sony-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1B4AA674-F5CA-4BB5-831A-CD37B4021959}\setup.exe"
InterVideo WinDVD-->C:\WINNT\IsUninst.exe -f"C:\Program Files\InterVideo\WinDVD\Uninst.isu"
IsoBuster 1.6-->"C:\Program Files\Smart Projects\IsoBuster\Uninst\unins000.exe"
J2SE Runtime Environment 5.0 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150010}
J2SE Runtime Environment 5.0 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
J2SE Runtime Environment 5.0 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150050}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Kodak Gallery Client3.3.0.3-->"C:\Program Files\Kodak Gallery Client\unins000.exe"
Letterland-->C:\WINNT\IsUninst.exe -f"C:\Program Files\Collins\Letterland\Uninst.isu"
LimeWire 4.14.10-->"C:\Program Files\LimeWire\uninstall.exe"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Professional 2003-->MsiExec.exe /I{90510409-6000-11D3-8CFE-0150048383C9}
Microsoft VGX Q833989-->C:\WINNT\vgxuninst.exe C:\WINNT\INF\Q833989.inf
Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MPAM1 - Contar y Agrupar-->C:\WINNT\uninst.exe -r"Zeta Multimedia\MPAM1 - Contar y Agrupar\1.0.0.0" -n"MPAM1 - Contar y Agrupar" -fC:\ARCHIV~1\ZETAMU~1\MPAM1-~1\DeIsL2.isu -cC:\ARCHIV~1\ZETAMU~1\MPAM1-~1\uninst.dll
MSN Messenger 7.0-->MsiExec.exe /I{ABEB838C-A1A7-4C5D-B7E1-8B4314600820}
MyDSC2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{83D96ED0-98AA-4515-8DDC-816F3EFDD104}\Setup.exe" -l0x9
Myst III EXILE Patch 1.22-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A4B28C95-9883-11D5-9E9D-0050DA1EA555}\Setup.exe"
Myst III: Exile-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F05B89E-2873-11D5-9E9D-0050DA1EA555}\setup.exe"
Nero Suite-->C:\Program Files\Common Files\Ahead\Uninstall\setup.exe /uninstall ExtraUninstallID=""
NOD32 antivirus system-->C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX v2.1-->"C:\Program Files\Eset\unins000.exe"
Palm Desktop-->MsiExec.exe /X{7DBBC522-F642-4D6C-A03F-22E49EB63437}
PowerQuest PartitionMagic 8.0-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}
Primeros Pasos-->C:\WINNT\unin040a.exe -fC:\TLCWIN\RRT\uninstal\DeIsL1.isu
PsicoDicc-->c:\psicologia.cl\Uninstal.exe
QuickTime-->C:\WINNT\unvise32qt.exe C:\WINNT\system32\QuickTime\Uninstall.log
Security Update for Windows 2000 (KB904706)-->"C:\WINNT\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564)-->"C:\WINNT\$NtUninstallKB911564$\spuninst\spuninst.exe"
Sony USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
Spelling Dictionaries For Adobe Reader Package-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-7E8A450000A7}
SPSS 11.5.1 para Windows-->C:\WINNT\unin040a.exe -f"C:\Program Files\SPSS\DeIsL1.isu" -c"C:\Program Files\SPSS\uninst.dll
Symantec Technical Support Web Controls-->MsiExec.exe /X{C4868E88-F5B5-4E45-9592-C7062BD97441}
Synaptics TouchPad-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Update Rollup 1 for Windows 2000 SP4-->"C:\WINNT\$NtUpdateRollupPackUninstall$\spuninst\spuninst.exe"
VGA USB Camera (2120)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85BA1253-1D64-468B-8ADA-EFDFD31AD4E2}\Setup.exe" -l0xa
Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
Windows 2000 Hotfix - KB829558-->C:\WINNT\$NtUninstallKB829558$\spuninst\spuninst.exe
Windows 2000 Hotfix - KB833407-->C:\WINNT\$NtUninstallKB833407$\spuninst\spuninst.exe
Windows 2000 Hotfix - KB842773-->C:\WINNT\$NtUninstallKB842773$\spuninst\spuninst.exe
Windows 2000 Hotfix - KB890046-->"C:\WINNT\$NtUninstallKB890046$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB893756-->"C:\WINNT\$NtUninstallKB893756$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB896358-->"C:\WINNT\$NtUninstallKB896358$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB896422-->"C:\WINNT\$NtUninstallKB896422$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB896423-->"C:\WINNT\$NtUninstallKB896423$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB896424-->"C:\WINNT\$NtUninstallKB896424$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB899587-->"C:\WINNT\$NtUninstallKB899587$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB899589-->"C:\WINNT\$NtUninstallKB899589$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB900725-->"C:\WINNT\$NtUninstallKB900725$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB901017-->"C:\WINNT\$NtUninstallKB901017$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB901214-->"C:\WINNT\$NtUninstallKB901214$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB905414-->"C:\WINNT\$NtUninstallKB905414$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB905495-->"C:\WINNT\$NtUninstallKB905495-IE6SP1-20050805.184113$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB905749-->"C:\WINNT\$NtUninstallKB905749$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB908519-->"C:\WINNT\$NtUninstallKB908519$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB908523-->"C:\WINNT\$NtUninstallKB908523$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB908531-->"C:\WINNT\$NtUninstallKB908531$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB911280-->"C:\WINNT\$NtUninstallKB911280$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB911567-->"C:\WINNT\$NtUninstallKB911567-OE6SP1-20060316.165634$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB912919-->"C:\WINNT\$NtUninstallKB912919$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB913580-->"C:\WINNT\$NtUninstallKB913580$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB914389-->"C:\WINNT\$NtUninstallKB914389$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB916281-->"C:\WINNT\$NtUninstallKB916281-IE6SP1-20060526.162249$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB917736-->"C:\WINNT\$NtUninstallKB917736$\spuninst\spuninst.exe"
Windows 2000 Hotfix - KB917953-->"C:\WINNT\$NtUninstallKB917953$\spuninst\spuninst.exe"
Windows 2000 Hotfix (SP5) Q818043-->C:\WINNT\$NtUninstallQ818043$\spuninst\spuninst.exe
Windows Installer 3.1 (KB893803)-->"C:\WINNT\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Player Hotfix [See Q828026 for more information]-->C:\WINNT\$NtUninstallQ828026$\spuninst\spuninst.exe
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Wireless-G Notebook Adapter with SRX400-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{30CCA81B-4951-4751-986D-14388D9F4FFC}\setup.exe" -l0x9
Yahoo! Fotos – Carga fácil de fotos 1v4-->C:\WINNT\system32\regsvr32 /u /s "C:\WINNT\Downloaded Program Files\YDropperE1.dll"
Yahoo! Fotos – Carga fácil de fotos 1v6-->C:\WINNT\system32\regsvr32 /u /s "C:\WINNT\Downloaded Program Files\YDropperE1.dll"
Yahoo! Fotos – Carga fácil de fotos 1v7-->C:\WINNT\system32\regsvr32 /u /s "C:\WINNT\Downloaded Program Files\YDropperE1.dll"

System event log

Computer Name: NB-ABERGOEING
Event Code: 54
Message: The Windows Time Service was not able to find a Domain Controller. A time and date update was not possible.

Record Number: 5
Source Name: w32time
Time Written: 20080825134821.000000-180
Event Type: warning
User:

Computer Name: NB-ABERGOEING
Event Code: 105
Message: The service was started.

Record Number: 4
Source Name: Ati HotKey Poller
Time Written: 20080825134813.000000-180
Event Type: information
User:

Computer Name: NB-ABERGOEING
Event Code: 6005
Message: The Event log service was started.

Record Number: 3
Source Name: EventLog
Time Written: 20080825134805.000000-180
Event Type: information
User:

Computer Name: NB-ABERGOEING
Event Code: 6009
Message: Microsoft (R) Windows 2000 (R) 5.0 2195 Service Pack 4 Uniprocessor Free.

Record Number: 2
Source Name: EventLog
Time Written: 20080825134805.000000-180
Event Type: information
User:

Computer Name: NB-ABERGOEING
Event Code: 5719
Message: No Windows NT or Windows 2000 Domain Controller is available for domain LARRA_DOM.
The following error occurred:
There are currently no logon servers available to service the logon request.

Record Number: 1
Source Name: NETLOGON
Time Written: 20080825134806.000000-180
Event Type: error
User:

Application event log

Computer Name: NB-ABERGOEING
Event Code: 105
Message: The service was started.

Record Number: 5
Source Name: WMDM PMSP Service
Time Written: 20071220165043.000000-120
Event Type: information
User:

Computer Name: NB-ABERGOEING
Event Code: 1000
Message: Windows could not save the registry settings in your user profile on its first try because another program or service was editing them. Windows tried again and saved them after 14 attempts.

Record Number: 4
Source Name: Userenv
Time Written: 20071220164902.000000-120
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: NB-ABERGOEING
Event Code: 105
Message: The service was started.

Record Number: 3
Source Name: WMDM PMSP Service
Time Written: 20071219154810.000000-120
Event Type: information
User:

Computer Name: NB-ABERGOEING
Event Code: 4098
Message: The COM+ Event System failed to fire the Logoff method on subscription {82F27B47-94AB-4819-B2B2-B1C61BCB81A4}. The subscriber returned HRESULT 800706BF.
Record Number: 2
Source Name: EventSystem
Time Written: 20071219113351.000000-120
Event Type: warning
User:

Computer Name: NB-ABERGOEING
Event Code: 105
Message: The service was started.

Record Number: 1
Source Name: WMDM PMSP Service
Time Written: 20071219104926.000000-120
Event Type: information
User:

======Environment variables======

"CLASSPATH"="C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip"
"ComSpec"=%SystemRoot%\system32\cmd.exe
"NUMBER_OF_PROCESSORS"=1
"OS"=Windows_NT
"Os2LibPath"=%SystemRoot%\system32\os2\dll;
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Autodesk Shared\;C:\PROGRA~1\COMMON~1\Odbc\FILEMA~1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 8 Stepping 10, GenuineIntel
"PROCESSOR_LEVEL"=6
"PROCESSOR_REVISION"=080a
"QTJAVA"="C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip"
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%
"VERSION"=3.0.5.001
"SESSIONID"=1120311590878htx60561b5a415:104e0e451be:bc6
"COLLECTIONID"=COL8143
"ITEMID"=dj-22741-15
"UPDATEDIR"=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rad8FD57.tmp
"TOOLPATH"=/C:\Program%20Files\Hewlett-Packard\HP%20Software%20Update\install.htm
"HMSERVER"=https://wwss1pro.cce.hp.com/wuss/servlet/WUSSServlet
"SWUTVER"=1.0.18.30716
"OSVER"=win2KP
"LANG"=13322
"TIMEOUT"=0
"PROCESSOR_DUMP"=1
"PROCESSOR_CORE"=32

-----------------EOF-----------------

by **Katana** » December 29th, 2008, 6:09 am

REMOVE P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Ares 2.1.0
BitTorrent 4.0.2
LimeWire 4.14.10

Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected.
The bad guys use P2P filesharing as a major conduit to spread their wares.

Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.

Post back a new HijackThis, so we can continue cleaning your pc.

----------------------------------------------------------- -----------------------------------------------------------

RE.
NOD32 FiX v2.1

The only information I can find on this points to it being a "Crack" to allow the trial version of NOD32 to continue working

Cracks, Keygens and Warez

In doing the crack, the 'cracker' has broken the 'End User Licence Agreement' (EULA) of the product.
The distribution and use of cracked copies is illegal in almost every developed country.
They are also one of the biggest causes of infection.

This applies to Cracks, Keygens and Warez

In the future I strongly suggest you stay away from using cracks and/or Keygens.

----------------------------------------------------------- -----------------------------------------------------------

==============================WARNING==============================
There is some evidence of what may be a very nasty infection.
If the Computer has been used for any important data, you are strongly advised to do the following, immediately:

Back up all important data on the machine.
If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
Take any other steps you think appropriate for an attempted identity theft.

==============================WARNING==============================

by **wimpy** » December 30th, 2008, 8:45 pm

Hi,

Thanks for the advice. This is an old computer which I do not use regularly, and surely not when managing bank accounts. This NB was used for some time by another person which installed the P2P software and perhaps another software and surely the malware I'm trying to get rid off.

Here is the new HJT log after uninstalling the P2P programs you mentioned.

Thks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:33:13, on 30-12-2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Cisco-Linksys LLC\Wireless-G Notebook Adapter with SRX400\WPC54GX4.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sonico.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Banco do Brasil S.A. - {546D0BB7-6894-48D2-89EB-DFABF5E4EC7D} - C:\WINNT\system32\oobe\msobe.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RunUtility] C:\Program Files\Cisco-Linksys LLC\Wireless-G Notebook Adapter with SRX400\WPC54GX4.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [win32Kernel] c:\windows\findx.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm012YYCL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... .0.1.1.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0854992881
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installer ... taller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.fujifilm.cl/falabellav2/reve ... Upload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = larra_dom
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C20BBA4-3B4B-4E00-A492-DE31B1C809FC}: NameServer = 10.0.0.41,10.0.0.43
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = larra_dom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = larra_dom
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 7659 bytes

by **Katana** » December 31st, 2008, 5:29 am

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply
Re-enable all the programs that were disabled during the running of ComboFix..

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partne ... bscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Please post both logs in your reply

by **wimpy** » December 31st, 2008, 3:44 pm

Hi, just one question. I'm running win2k, not xp, not vista. Does this combofix jig run on this platform. The tutorial treats extensively about the windows recovery console for winxp, but i'm not sure it applies for win2k. Any advise/help is appreciated before I burn my pc to death completely.

Thks

by **Katana** » December 31st, 2008, 4:59 pm

Combofix "used" to run on W2K, however the developer has mentioned that this may be phased out sometime.
If it is no longer compatible, then it will say so and not run. No damage will be caused.

There is no recovery download for W2K, so just disable your security programs and double click Combofix.

by **wimpy** » January 1st, 2009, 9:59 pm

OK, my machine is still working after running Combofix. Followed instructions and everything went through quite swiftly.

Here's the log from Combofix. Will await further instructions.

Thks

ComboFix 08-12-31.01 - Administrator 01-01-2009 22:37:32.1 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.255.56 [GMT -2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Starware
c:\program files\screensavers.com
c:\program files\screensavers.com\Wallpaper\swpstart.exe
c:\winnt\a3kebook.ini
c:\winnt\akebook.ini
c:\winnt\ANS2000.INI
c:\winnt\bobsaver.exe
c:\winnt\bobsaver.scr
c:\winnt\Downloaded Program Files\setup.inf
c:\winnt\IE4 Error Log.txt
c:\winnt\system32\UpMedia
c:\winnt\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE

((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.

2008-12-28 21:51 . 08-12-28 21:51 <DIR> d-------- C:\rsit
2008-12-10 22:27 . 08-12-29 22:09 54,156 --ah----- c:\winnt\QTFont.qfn
2008-12-10 22:27 . 08-12-10 22:27 1,409 --a------ c:\winnt\QTFont.for
2008-12-07 22:21 . 08-12-07 22:22 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2003-10-25 20:59 271 ---h--w c:\program files\desktop.ini
2003-10-25 20:59 21,952 ---h--w c:\program files\folder.htt
2001-05-08 14:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
2001-02-15 18:39 239,689 ----a-w c:\winnt\inf\ati2dvai.dll
2003-10-25 20:44 5,769 --sha-w c:\winnt\utapi32.dll
2003-10-25 20:44 1,822 --sha-w c:\winnt\rreg32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [04-11-30 12:36 1945600]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [06-03-30 16:45 313472]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 8192 c:\winnt\system32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DadApp"="c:\program files\DELL\AccessDirect\dadapp.exe" [01-03-29 15:19 188840]
"AtiPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [02-08-27 16:57 294912]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [01-04-13 09:39 94208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [01-04-13 09:38 262144]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [01-06-27 11:51 643072]
"HPDJ Taskbar Utility"="c:\winnt\system32\spool\drivers\w32x86\3\hpztsb09.exe" [03-09-01 08:42 176128]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [03-04-11 15:25 212992]
"NeroFilterCheck"="c:\winnt\system32\NeroCheck.exe" [01-07-09 10:50 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [05-11-10 13:03 36975]
"RunUtility"="c:\program files\Cisco-Linksys LLC\Wireless-G Notebook Adapter with SRX400\WPC54GX4.exe" [05-10-31 04:17 16945152]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [07-08-11 00:07 921600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [07-09-03 21:14 98304]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 c:\winnt\system32\mobsync.exe]
"LoadQM"="loadqm.exe" [00-05-03 17:23 7536 c:\winnt\loadqm.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [07-09-04 23:40 6856704]
"internat.exe"="internat.exe" [01-05-08 12:00 20752 c:\winnt\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Image Transfer.lnk - c:\program files\Sony Corporation\Image Transfer\SonyTray.exe [2004-06-05 73728]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-02-24 10872]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);c:\winnt\system32\DRIVERS\SONYPVM1.SYS [2004-01-21 28224]
R1 cdudf;cdudf;c:\winnt\system32\drivers\cdudf.sys [2001-06-27 230048]
R3 ati2mtai;ati2mtai;c:\winnt\system32\DRIVERS\ati2mtai.sys [2004-04-11 347036]
R3 EL556;3Com 10/100 Mini PCI Ethernet Adapter NDIS5 Driver;c:\winnt\system32\DRIVERS\EL556ND5.sys [2000-05-02 64120]
R3 maestro;ESS Maestro Audio Driver (WDM);c:\winnt\system32\drivers\es198xdl.sys [2002-01-13 414720]
R3 WDHABBG;WDHABBGMiniPCI Winmodem;c:\winnt\system32\DRIVERS\WDHABBG.sys [2000-12-13 704960]
S3 Airgo3P;Wireless-G Notebook Adapter with SRX400 Driver;c:\winnt\system32\DRIVERS\TMIMO30P.sys [2007-07-01 884034]
S3 FVNETD;ATMEL PCMCIA FastVNET (502A-D);c:\winnt\system32\DRIVERS\fvnetd.sys [2004-04-07 91008]
S3 rtl8180;IEEE 802.11b Wireless Cardbus/PCI Adapter;c:\winnt\system32\DRIVERS\rtl8180.SYS []
S3 TNET1130;D-Link AirPlus XtremeG+ Wireless Adapter;c:\winnt\system32\DRIVERS\GPlus.sys [2004-04-11 162313]
S3 WRSWanDD;iVasion PoET Adapter;c:\winnt\system32\DRIVERS\WrKPoETNic2000.sys [2004-04-02 73772]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Skype - c:\program files\Skype\Phone\Skype.exe
HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.emol.com/
mSearch Bar = hxxp://red.clientapps.yahoo.com/customi ... earch.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm012YYCL
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: %SystemRoot%\system32\msafd.dll
TCP: {4C20BBA4-3B4B-4E00-A492-DE31B1C809FC} = 10.0.0.41,10.0.0.43

O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nzglonzt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-01 22:46:13
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(224)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2009-01-01 22:48:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-02 00:48:34

Pre-Run: 3.050.733.568 bytes free
Post-Run: 3,630,317,568 bytes free

140

by **Katana** » January 2nd, 2009, 6:32 am

Do you have the Kaspersky Log ?

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
- Update Malwarebytes' Anti-Malware
- and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
If requested, please reboot
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

by **wimpy** » January 2nd, 2009, 8:24 am

Hi,

I don't have the Kaspersky log, but with instructions I can surely provide it.

I will follow the rest of the instructions (malwarebytes' anti-malware) unless you prefer me to post the Kaspersky log first.

Thks

by **Katana** » January 2nd, 2009, 3:38 pm

wimpy wrote:I don't have the Kaspersky log, but with instructions I can surely provide it.

I'm not sure what instructions you mean, either you saved the kaspersky log as previously instructed or you didn't ??

Please run MBAM and post the log regardless

by **wimpy** » January 3rd, 2009, 12:51 am

My mistake!

Now, after about three kettles boiled and calmly sipped the tea I have the Kasperski log. As well, the MBAM log.

Thks.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, January 3, 2009
Operating System: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, January 02, 2009 21:54:46
Records in database: 1549910
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 47493
Threat name: 5
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 03:30:16

File name / Threat name / Threats count
C:\WINNT\system32\oobe\oobeinfo.exe Infected: Trojan.Win32.Pakes.lqg 1
C:\Program Files\ESET\infected\LYGU1KDA.NQF Infected: not-a-virus:AdWare.Win32.Beginto.f 2
C:\Program Files\ESET\infected\A5ZYLHCA.NQF Infected: not-a-virus:AdWare.Win32.SaveNow.bj 1
C:\Program Files\ESET\infected\NLNLTNDA.NQF Infected: Trojan-Spy.Win32.Agent.aan 1
C:\Program Files\ESET\infected\HIJOGAAA.NQF Infected: Trojan-Spy.Win32.Delf.ema 1

The selected area was scanned.

Malwarebytes' Anti-Malware 1.31
Database version: 1599
Windows 5.0.2195 Service Pack 4

03-01-2009 01:42:04
mbam-log-2009-01-03 (01-42-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 91817
Time elapsed: 24 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

by **Katana** » January 3rd, 2009, 12:25 pm

Fix With HJT

Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines IF still present

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html

O2 - BHO: Banco do Brasil S.A. - {546D0BB7-6894-48D2-89EB-DFABF5E4EC7D} - C:\WINNT\system32\oobe\msobe.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKCU\..\Run: [win32Kernel] c:\windows\findx.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm012YYCL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... .0.1.1.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installer ... taller.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code: Select all

File::
C:\WINNT\system32\oobe\msobe.dll
C:\WINNT\system32\oobe\msobweb2.dll
C:\WINNT\system32\oobe\msobcommw.dll
C:\WINNT\system32\oobe\spoolsv.exe
C:\WINNT\system32\oobe\oobeinfo.exe

Save this as CFScript.txt and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Logs/Information to Post in Reply
Please post the following logs/Information in your reply

Combofix Log
A fresh HJT log
How are things running now ?

by **wimpy** » January 3rd, 2009, 2:21 pm

Hi,

here are the ComboFix and HJT logs requested. Things appear to be fine. At least the files the AV detected as malware are gone. Should I test further for other malware?

ComboFix 09-01-01.02 - Administrator 03-01-2009 15:02:30.2 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.255.100 [GMT -2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\winnt\system32\oobe\msobcommw.dll
c:\winnt\system32\oobe\msobe.dll
c:\winnt\system32\oobe\msobweb2.dll
c:\winnt\system32\oobe\oobeinfo.exe
c:\winnt\system32\oobe\spoolsv.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\oobe\msobcommw.dll
c:\winnt\system32\oobe\msobe.dll
c:\winnt\system32\oobe\msobweb2.dll
c:\winnt\system32\oobe\oobeinfo.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2009-01-03 15:01 . 03-01-09 15:01 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_38c.dat
2009-01-03 01:14 . 03-01-09 01:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 01:14 . 03-01-09 01:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-03 01:14 . 03-01-09 01:14 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-03 01:14 . 03-12-08 19:52 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2009-01-03 01:14 . 03-12-08 19:52 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2008-12-28 21:51 . 28-12-08 21:51 <DIR> d-------- C:\rsit
2008-12-10 22:27 . 29-12-08 22:09 54,156 --ah----- c:\winnt\QTFont.qfn
2008-12-10 22:27 . 10-12-08 22:27 1,409 --a------ c:\winnt\QTFont.for
2008-12-07 22:21 . 07-12-08 22:22 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2003-10-25 20:59 271 ---h--w c:\program files\desktop.ini
2003-10-25 20:59 21,952 ---h--w c:\program files\folder.htt
2001-05-08 14:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
2001-02-15 18:39 239,689 ----a-w c:\winnt\inf\ati2dvai.dll
2003-10-25 20:44 5,769 --sha-w c:\winnt\utapi32.dll
2003-10-25 20:44 1,822 --sha-w c:\winnt\rreg32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [30-11-04 12:36 1945600]
"ctfmon.exe"="ctfmon.exe" [20-02-01 13:09 8192 c:\winnt\system32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DadApp"="c:\program files\DELL\AccessDirect\dadapp.exe" [29-03-01 15:19 188840]
"AtiPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [27-08-02 16:57 294912]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [13-04-01 09:39 94208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [13-04-01 09:38 262144]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [27-06-01 11:51 643072]
"HPDJ Taskbar Utility"="c:\winnt\system32\spool\drivers\w32x86\3\hpztsb09.exe" [01-09-03 08:42 176128]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [11-04-03 15:25 212992]
"NeroFilterCheck"="c:\winnt\system32\NeroCheck.exe" [09-07-01 10:50 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [10-11-05 13:03 36975]
"RunUtility"="c:\program files\Cisco-Linksys LLC\Wireless-G Notebook Adapter with SRX400\WPC54GX4.exe" [31-10-05 04:17 16945152]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [11-08-07 00:07 921600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [03-09-07 21:14 98304]
"Synchronization Manager"="mobsync.exe" [19-06-03 12:05 111376 c:\winnt\system32\mobsync.exe]
"LoadQM"="loadqm.exe" [03-05-00 17:23 7536 c:\winnt\loadqm.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [04-09-07 23:40 6856704]
"internat.exe"="internat.exe" [08-05-01 12:00 20752 c:\winnt\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [19-06-03 12:05 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Image Transfer.lnk - c:\program files\Sony Corporation\Image Transfer\SonyTray.exe [2004-06-05 73728]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-02-24 10872]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);c:\winnt\system32\DRIVERS\SONYPVM1.SYS [2004-01-21 28224]
R1 cdudf;cdudf;c:\winnt\system32\drivers\cdudf.sys [2001-06-27 230048]
R3 ati2mtai;ati2mtai;c:\winnt\system32\DRIVERS\ati2mtai.sys [2004-04-11 347036]
R3 EL556;3Com 10/100 Mini PCI Ethernet Adapter NDIS5 Driver;c:\winnt\system32\DRIVERS\EL556ND5.sys [2000-05-02 64120]
R3 maestro;ESS Maestro Audio Driver (WDM);c:\winnt\system32\drivers\es198xdl.sys [2002-01-13 414720]
R3 WDHABBG;WDHABBGMiniPCI Winmodem;c:\winnt\system32\DRIVERS\WDHABBG.sys [2000-12-13 704960]
S3 Airgo3P;Wireless-G Notebook Adapter with SRX400 Driver;c:\winnt\system32\DRIVERS\TMIMO30P.sys [2007-07-01 884034]
S3 FVNETD;ATMEL PCMCIA FastVNET (502A-D);c:\winnt\system32\DRIVERS\fvnetd.sys [2004-04-07 91008]
S3 rtl8180;IEEE 802.11b Wireless Cardbus/PCI Adapter;c:\winnt\system32\DRIVERS\rtl8180.SYS []
S3 TNET1130;D-Link AirPlus XtremeG+ Wireless Adapter;c:\winnt\system32\DRIVERS\GPlus.sys [2004-04-11 162313]
S3 WRSWanDD;iVasion PoET Adapter;c:\winnt\system32\DRIVERS\WrKPoETNic2000.sys [2004-04-02 73772]

*Newly Created Service* - MBAMSWISSARMY
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.emol.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\winnt\system32\imon.dll
LSP: %SystemRoot%\system32\msafd.dll
TCP: {4C20BBA4-3B4B-4E00-A492-DE31B1C809FC} = 10.0.0.41,10.0.0.43

O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\nzglonzt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 15:05:32
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(224)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'lsass.exe'(264)
c:\winnt\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
Completion time: 03-01-2009 15:06:30
ComboFix-quarantined-files.txt 2009-01-03 17:06:30
ComboFix2.txt 2009-01-02 00:48:42

Pre-Run: 3.595.304.960 bytes free
Post-Run: 3,655,122,944 bytes free

141

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:15:20, on 03-01-2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Cisco-Linksys LLC\Wireless-G Notebook Adapter with SRX400\WPC54GX4.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RunUtility] C:\Program Files\Cisco-Linksys LLC\Wireless-G Notebook Adapter with SRX400\WPC54GX4.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0854992881
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.fujifilm.cl/falabellav2/reve ... Upload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = larra_dom
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C20BBA4-3B4B-4E00-A492-DE31B1C809FC}: NameServer = 10.0.0.41,10.0.0.43
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = larra_dom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = larra_dom
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 6597 bytes

Free Malware Removal Forum

Win32/Banwor

Win32/Banwor

Re: Win32/Banwor

Re: Win32/Banwor

Re: Win32/Banwor

Re: Win32/Banwor

Re: Win32/Banwor

Re: Win32/Banwor

Re: Win32/Banwor

Re: Win32/Banwor

Re: Win32/Banwor

Re: Win32/Banwor

Re: Win32/Banwor

Re: Win32/Banwor

Re: Win32/Banwor

Re: Win32/Banwor

Who is online